On April 17, 2023, the HHS Cybersecurity Task Force released the updated Health Industry Cybersecurity Practices (HICP) 2023 Edition and the Hospital Cyber Resiliency Initiative Landscape Analysis. It is a collection of real best practices within the industry compiled as a voluntary activity by public and private security professionals rather than as a regulation or baseline target. It doesn't contain anything especially new, but it does provide practical references for multiple audiences (physicians, managers, technicians) and adapted to the size and complexity of organizations.
In this blog, I provide an overview and updated points to these resources, and explore the cybersecurity needs of the healthcare industry.
What is HICP?
HICP is best practice for the healthcare industry. It is one of the deliverables in a program to strengthen cybersecurity posture initiated as a congressional mandate under Section 405(d) of the Cybersecurity Act of 2015. The 405(d) Task Group is a joint effort of the U.S. Department of Health and Human Services, the Health Sector Coordinating Council, and members of his more than 200 cybersecurity and healthcare professionals.
Moreover, Health Industry Cybersecurity Practice (HICP) is an output of their activity. The 1st edition was published in 2019. HICP consists of three documents: Mian document, Technical Volume 1 (for small organization), and Technical Volume 2 (for medium and large organization), and these practices are aligned with NIST CSF(Cybersecurity Framework).
In light of recent threats and situations in the healthcare industry, it has been updated as the 2023 edition.
HICP 2023 edition
HICP presents 5 threats most relevant to the healthcare industry and 10 mitigations to prevent them.
- Top 5 Threats
- Social Engineering
- Ransomware
- Loss or theft of equipment or data
- Insider accidental or malicious data loss
- Attack against connected medical devices
- Top 10 mitigations
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Security Operation Centers and Incident Response
- Network Connected Medical Devices
- Cybersecurity Oversight and Governance
First, the Main document recommended incorporating Zero Trust, and Defense in Depth into your Cybersecurity strategy.
An update in Threat is that what was formerly titled Email Phishing has been expanded to Social Engineering. Social engineering threats encompass more than email phishing. (Some new items addressed by this new threat: Smishing, Whaling, BEC and more.)
As mitigation, Network Connected Medical Devices added more details. Many IoT devices interact with the physical world in ways that traditional IT devices do not typically do, and IoT devices can modify physical systems and affect the physical world. Additionally, operational requirements for performance, reliability, resilience, and safety can conflict with typical cybersecurity and privacy practices for traditional IT devices. It recommends that they fix or mitigate these vulnerabilities before connecting to their network.
Other mitigations updates and additions includes Attack Simulations, Cyber insurance, Risk assessment and management, etc.
Landscape Analysis
The HHS 405(d) program conducted a landscape analysis to review active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the United States. They also benchmarked these results to specific practices from the Health Industry Cybersecurity Practices (HICP).
The report said that based on the 2023 Censinet/AHA/KLAS survey, on average, hospitals claim to cover 72.05% of HICP practices, with email protection having the highest coverage and medical equipment It has the lowest security.
The same study shows that 59.64% of medical technology used in hospitals has some form of antivirus solution or other alternative control. Additionally, 60.18% of hospitals said they regularly patch their medical technology when patches are released by their manufacturers. Lastly 52.41% of hospitals say they separate their medical technology from their general access network.
This analysis report suggests that these basic hygiene controls still pose significant challenges to medical technology security.
Trend Micro defines the technologies and systems that should be protected in hospitals into five areas and summarizes each security control implementation method and approach from a comprehensive perspective as a technical report. Please use it as one of the resources for advancing the implementation of the practice.
References:
- HHS 405(d)
- HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector